* main.h, seskey.c (encode_md_value): Modify to allow a q size greater

than 160 bits as per DSA2. This will allow us to verify and issue DSA2 signatures for some backwards compatibility once we start generating DSA2 keys. * sign.c (do_sign), sig-check.c (do_check): Change all callers. * sign.c (do_sign): Enforce the 160-bit check for new signatures here since encode_md_value can handle non-160-bit digests now. This will need to come out once the standard for DSA2 is firmed up.
2025-07-02 22:46:30 +02:00 · 2006-03-30 19:20:59 +00:00 · 2006-03-30 19:20:59 +00:00 · 92e1528bf2
commit 92e1528bf2
parent a43c1bc874
5 changed files with 93 additions and 34 deletions
--- a/g10/sign.c
+++ b/g10/sign.c
@ -319,8 +319,17 @@ do_sign( PKT_secret_key *sk, PKT_signature *sig,
      }
    else 
      {
-        frame = encode_md_value( sk->pubkey_algo, md,
-                                 digest_algo, mpi_get_nbits(sk->skey[0]) );
+	/* TODO: remove this check in the future once all the
+	   variable-q DSA stuff makes it into the standard. */
+	if(!opt.expert
+	   && sk->pubkey_algo==PUBKEY_ALGO_DSA
+	   && md_digest_length(digest_algo)!=20)
+	  {
+	    log_error(_("DSA requires the use of a 160 bit hash algorithm\n"));
+	    return G10ERR_GENERAL;
+	  }
+
+        frame = encode_md_value( NULL, sk, md, digest_algo );
        if (!frame)
          return G10ERR_GENERAL;
        rc = pubkey_sign( sk->pubkey_algo, sig->data, frame, sk->skey );
@ -336,9 +345,7 @@ do_sign( PKT_secret_key *sk, PKT_signature *sig,
        if( get_pubkey( pk, sig->keyid ) )
            rc = G10ERR_NO_PUBKEY;
        else {
-            frame = encode_md_value (pk->pubkey_algo, md,
-                                     sig->digest_algo,
-                                     mpi_get_nbits(pk->pkey[0]) );
+	    frame = encode_md_value (pk, NULL, md, sig->digest_algo );
            if (!frame)
                rc = G10ERR_GENERAL;
            else